On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect in the European Union. The GDPR requires companies to get permission from customers before sharing their data. A company that does not comply with the GDPR could face a penalty of up to 4% of its global revenue.
The GDPR outlines several rights of consumers. Under the GDPR, companies must clearly get consent from customers before sharing their personal information. Also, if a data breach occurs, customer notification is mandatory within 72 hours of learning about the breach. Additionally, the GDPR includes the right of data erasure, which is the right to be forgotten under certain conditions.
GDPR Opt-In Requirement
Under the GDPR, users must give explicit consent to allow the sharing of their data. To comply, a company must place the consent to “opt-in” in a separate place from the terms of service. Any boxes on a signup form cannot be pre-checked to opt-in. Also, users must be able to easily withdraw any consent to share their information.
Good business practices will keep a company in compliance with the GDPR. For example, when a user signs up for a mailing list, a company should verify the user. By implementing a “double opt-in” feature, a user receives an email with a verification link. This method also prevents unwanted web bots from clogging up a company’s database.
U.S. Data Privacy Regulation
The Federal Trade Commission (FTC) is the primary U.S. agency that enforces privacy policies. As its mission, the FTC makes sure that companies keep their privacy promises and investigates companies that misuse consumer data.
The GDPR is influencing congressional lawmakers to push for a federal data privacy law. Several bills are currently on the table, which include:
- MY DATA Act – expands the authority of the FTC
- BROWSER Act – requires permission from users to collect sensitive data
- CONSENT Act – requires edge providers to obtain an opt-in consent to use data
In the aftermath of the Facebook privacy breach, the passage of a federal privacy bill is possible in the near future. Meanwhile, some state lawmakers may take their own initiative to pass a state privacy law. Currently, less than half of the states have a law that regulates privacy policies. In comparison, federal lawmakers have failed to pass a federal data breach notification law. As a result, the lack of a federal law caused all the states to pursue their own state data breach laws.
Alice M. Porch, Esq., CIPP/US, C|EH, Security+
Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance in her law practice. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She currently serves as Chair of The Florida Bar Journal/News Editorial Board.
